I have two policies which are supposed to modify the setting, and they do not seem to be processed the way I believe they should.
The two policies control the visibility of the administrative tools on the start menu setting.
Show_Admin_Tools:
- Applies to Domain Admins, and nothing else
- Linked at the root only
- Link order position = 1
Hide_Admin_Tools:
- Applies to Authenticated Users
- Linked at the root only
- Link order position = 2
There is no loopback processing, policies are not enforced, and inheritance is not blocked.
When gpupdate is run as an administrator... the Administrative Tools link does not show on the Start Menu. If it is manually turned on, it is removed again at GP refresh. Checking Group Policy results on a machine shows three GPO applications, in the following sequence: first the Authenticated Users GPO, then the Domain Admins GPO, then the Authenticated Users GPO again.
Unfortunately, I am unable to provide a graphic of the GP result, due to security issues.
Can anyone explain why the Authenticated Users GPO would apply last, even though it has already been applied and the link order seems to suggest that the show tools policy should take precedence? How do I use group policies to display the admin tools for admins, and hide them for everyone else?
"How do I use group policies to display the admin tools for admins, and hide them for everyone else?"
Add a deny ACE for Domain Admins for "Apply Group Policy" on the Hide_Admin_Tools GPO.
Also check you haven't enforced one or more of the policies (yellow lock on the icon), it's not necessary (I'm not sure exactly how it changes precedence). Also, Google group policy loopback processing. I have no idea exactly what it does (as it's not necessary in most situations) but it also affects the precedence, so you might want to make sure it's turned off.
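
One way to script the deny ACE suggested in the answer above, as an added example that is not part of the original thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that it runs with rights to modify the GPO's security; the GPO and group names are the ones from the question.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Names taken from the question.
$gpoName   = 'Hide_Admin_Tools'
$groupName = 'Domain Admins'

# Rights-GUID of the "Apply Group Policy" extended right in the AD schema.
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# The GPO's security filtering is the ACL on its groupPolicyContainer object in AD.
$gpo    = Get-GPO -Name $gpoName
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath

$sid = (Get-ADGroup -Identity $groupName).SID

# Skip the change if an explicit deny for this right is already present.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $applyGroupPolicy -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

if (-not $existing) {
    # Deny only "Apply Group Policy"; read and edit rights on the GPO are left untouched.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicy)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $adPath -AclObject $acl
}

# Review the resulting ACEs for the group on this GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

After the next refresh, running `gpresult /r /scope user` as a Domain Admins member should list Hide_Admin_Tools among the GPOs that were not applied.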